Date: August 14th, 2008
Time: 7pm
Place: EE1 Building (Electrical Engineering)
Room 403
University of Washington Campus
Directions: http://www.ee.washington.edu/contact.html
Subject: Web Application Security
Presenters: Damon Cortesi

Web Application Security is still a hot topic in the security industry, especially with the recent Payment Card Industry (PCI) requirement coming into full effect requiring code review of web applications or a web application firewall. Despite all this attention, developers are not always familiar with the basic attacks against web applications and the abundance of tools available to assist malicious individuals in automating attacks. This talk will demonstrate some basic attacks against web applications including SQL Injection, Cross-Site Scripting, and Privilege Escalation. In addition, common tools that automate these attacks with merely the click of a button will be demonstrated. Finally, options for securing web services without diving into code will be discussed to assist administrators in making a more secure network.

—–

Damon Cortesi has worked in network and application security for nearly a decade, beginning his work as a Systems and Security Administrator, where he was responsible for the security of several NT systems exposed to the internet without a firewall. Most recently he was on a long-term engagement overseas helping a large retail company secure their web applications and is now back in Seattle full-time doing freelance security consulting and developing tools to ease security management.

From Microsoft:

Microsoft is conducting a usability study to gain insight into what you would like to see in the next version of Active Directory Users and Computers and how this tool impacts your job function. We want to learn from you, the experts, to determine what needs to be improved in our software. This is a great opportunity for you to provide feedback and help ensure the features you want make it into ADUC’s next version.

We are recruiting individuals who:

• Have experience working with Active Directory Users and Computers

• Are available for a 2-hour study session between July 28 and August 1, 2008

• Can make it to Microsoft’s main campus in Redmond, Washington

We highly value your feedback and will be offering you a gratuity option in appreciation of your time and participation.

If you are interested or know someone who might be interested in participating, please email us at itusable@microsoft.com with ADUC in the subject line.

Date: July 10th, 2008
Time: 7pm
Place: EE1 Building (Electrical Engineering)
Room 403
University of Washington Campus
Directions: http://www.ee.washington.edu/contact.html
Subject: The Methodology of Sustainable Computing.
Presenters: David Bryan

The U.S. data center industry is in the midst of a major growth period fueled by increasing demand for data processing and storage. As demands on data centers increase, and power usage and costs rise, the industry is looking for ways to increase efficiency. There is significant potential for energy-efficiency improvements in servers and in data centers today using methods and technologies currently available. Sustainable computing is not a hardware choice: it is a methodology. In situations where ecological concerns and business interests intersect, there is no single solution that will result in “green computing”, but a comprehensive approach toward energy efficiency can yield significant improvements in data center energy usage.

—–

David Bryan is one of the founders of Silicon Mechanics and the company’s product development visionary. He guided the development of key innovations, including its online cluster configurator, blade configurator and dynamic power calculator applications. He holds a BS in Electrical Engineering from the University of Washington.

Date: June 12th, 2008
Time: 7pm
Place: EE1 Building (Electrical Engineering)
Room 403
University of Washington Campus
Directions: http://www.ee.washington.edu/contact.html
Subject: Using Puppet for Mac Workstation Configuration Management
Presenters: Ski Kacoroski

This talk will discuss implementing the Puppet configuration management tool for Mac workstations. We will talk about why Puppet was chosen over other tools, how Puppet was bootstrapped onto the workstations, some of the issues we have overcome (and some that are still open), a few of the benefits of using Puppet, and plans for the future with Puppet at Northshore School District.

—–

Ski Kacoroski is the Unix System Admin for the Northshore School District where he spends his time bemused by the differences between the Linux, Solaris, Mac and Windows machines he is responsible for managing. In his free time he loves to hike, bike, and, along with his daughters, is a member of King County Explorer Search & Rescue.

Just wanted to drop a line for those who may not closely read the
meeting announcement, but we’ve been moved from our normal room 403 to
room 303. That should be just for this meeting.


Scott McDermott

Date: May 8th, 2008
Time: 7pm
Place: EE1 Building (Electrical Engineering)
Room 403
University of Washington Campus
Directions: http://www.ee.washington.edu/contact.html
Subject: Introduction to Digital Forensics (aka Groveling Through File Systems)
Presenters: Hal Pomeranz

While it may not be as sexy as they make it look on TV, there are a number of powerful Open Source tools available for analyzing file systems and recovering data, even data that may have been deleted by the attacker. This talk will start with an overview of the standard Unix file system architecture and discuss tools for imaging file systems, suggest useful idioms for detecting signs of a break-in, and cover how to discover “interesting” data from deleted files and re-assemble that data into an actual file image.

—–

Hal Pomeranz is the founder and technical lead of Deer Run Associates, and has been active in the system and network management/security field for over twenty years. As a senior member of the Faculty for the SANS Institute, Hal developed the SANS “Step-by-Step” course model and currently serves as the track coordinator and primary instructor for the SANS/GIAC Unix Security Certification track (GCUX). In 2001 he was given the SAGE Outstanding Achievement Award for his teaching and leadership in the field of System Administration.

Date: April 10th, 2008
Time: 7pm
Place: EE1 Building (Electrical Engineering)
Room 403
University of Washington Campus
Directions: http://www.ee.washington.edu/contact.html
Subject: Why Do We Need Infrastructure
Presenters: Lee Damon

Many people in the Unix and other computing communities accept without question the fact that we need infrastructure to make things work. We accept this without actually thinking about _why_ we need infrastructure, what infrastructure is, or even how we make an ‘infrastructure’.

On the flip side there are managers, users, and even computing professionals who not only don’t know what an infrastructure is but question the very basis of the assumption that such a beast is of any use, let alone desirable. They know their desktop system or the computer they have at home works and don’t see a need to go beyond that.

This talk will start with a basic analysis of what constitutes an infrastructure. It will then touch on why such a thing is often necessary.

Along the way we will briefly examine the difference between an infrastructure for supporting computing in general (“infrastructure architecture”) versus one for specific application support (“application architecture”) - which is needed when and why.

We’ll take a moment to look at some basic needs - both hardware and software. We will see why things like common account information and network clocks are vital to a successful infrastructure. We will look at the differences between homogeneous and heterogeneous infrastructures. We will see that while no one solution works for everyone there are some basics that you can’t do without.

We will take side journeys into hardware needs - computer rooms/data-centers, network designs, upstream connections, etc - and put all of that together with a scale-to-fit-needs discussion to answer the basic question: “Why infrastructure?”

—–

Lee Damon has been a Unix system administrator since 1985 and has been active in SAGE since its inception. He assisted in developing a mixed AIX/SunOS environment at IBM Watson Research and has developed mixed environments for Gulfstream Aerospace and QUALCOMM. He is currently leading the development effort for the Nikola project at the University of Washington Electrical Engineering department. Among other professional activities, he is a charter member of LOPSA and SAGE and past chair of the SAGE Ethics and Policies working groups, and he was the chair of LISA ‘04. He was awarded SAGE’s 2003 Outstanding Achievement Award “for service to SAGE and the system administration profession as a whole.”

Date: March 13th, 2008
Time: 7pm
Place: EE1 Building (Electrical Engineering)
Room 403
University of Washington Campus
Directions: http://www.ee.washington.edu/contact.html
Subject: The Guru is In, Moderated by Lee Damon
Presenters:  

Come with your questions, ideas, and problems and the group will help you find answers and solutions.

Date: February 21st, 2008
Time: 7pm
Place: EE1 Building (Electrical Engineering)
Room 403
University of Washington Campus
Directions: http://www.ee.washington.edu/contact.html
Subject: Scaling Nagios to monitor large heterogeneous environments
Presenters: Dr. Dave Blunt

The open source Nagios project has been in wide use for a number of years for monitoring of IT infrastructure. Learn how Nagios can be coupled with other open source tools for monitoring of large environments which contain a mix of operating systems and device types. A key aim of this talk is to prompt discussion of monitoring problems you face today and provide possible solutions using open source tools.

Dave Blunt currently manages Professional Services for GroundWork Open Source, Inc. and has previously held roles as system administrator, systems architect, manager of internal and production IT organizations, and IT consultant.

As a reminder, our next meeting is tonight at 7pm. Ski Kacoroski will be talking about Lessons learned on implementing a large scale NAS.


© 2007 Seattle Area System Administrators Guild